Introduction to Application Permission Management

# Background

Organizations typically have multiple application systems for daily communication and business operations. At the same time, members within the organization may have different access to these application systems due to factors such as department, position, or role. Authorization for each application is usually handled separately by administrators within each application system, leading to decentralized and disorganized management of application permissions, which makes centralized authorization and revocation inconvenient.

# Feature Introduction

IDaaS provides permission management capabilities oriented towards the "application side", including "roles, resources, permissions" on the application side. Bamboo Cloud IDaaS abstracts a 3-layer relationship model for application-side permission management:

  1. "Resource Objects": Includes various resource objects such as users, organizations, business data, etc., that you wish to manage in IDaaS.
  2. "Permissions": Includes functional permission types, such as menus and buttons, and data permission types.
  3. "Application-side Roles": Defines roles for the application and supports associating user members with roles.

# Scenario Selection

The above 3-layer model is hierarchical. Based on the management needs of application integration, the integration relationship between the application and IDaaS is typically divided into three categories. You can choose the configuration type according to your actual usage:

  1. If you only need IDaaS to manage up to the "application account" level, then simply grant application accounts to users in the "Authorization Management" tab of that application.

  2. If you need IDaaS to manage up to the "application account + application role" level, when configuring application information, you only need to configure "Role-based Application Permission Management" in the "Application-side Permissions" tab, maintain the corresponding application role information, and assign these application roles to the respective application accounts.

  3. If you need IDaaS to manage "application account + application role" while also controlling the application's "fine-grained functional permissions and data permissions", i.e., to manage application permissions under application roles and assign application roles to application accounts, then when configuring application information you need to configure "Application Permission Management based on Roles, Permissions, and Resources" in the "Application-side Permissions" tab. This achieves fine-grained permission control for the application within the IDaaS platform.
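
The sketch below is an added example, not Bamboo Cloud's API or code: it models the three-layer relationship and the three integration levels above, showing what the platform can assert about a user at each level and how revoking the application account centrally removes the roles and permissions under it. All class, function, and sample names are hypothetical.

```python
from dataclasses import dataclass, field

ACCOUNT, ACCOUNT_ROLE, ROLE_PERM_RESOURCE = 1, 2, 3  # scenarios 1-3; hypothetical names

@dataclass
class AppPermissionModel:
    level: int
    accounts: dict = field(default_factory=dict)  # user -> set of role names
    roles: dict = field(default_factory=dict)     # role -> {(permission, resource)}

    def grant_account(self, user):
        self.accounts.setdefault(user, set())

    def define_role(self, role, grants=()):
        # Roles need level 2; permission/resource grants need level 3.
        needed = ROLE_PERM_RESOURCE if grants else ACCOUNT_ROLE
        if self.level < needed:
            raise ValueError(f"level {self.level} cannot manage this, need {needed}")
        self.roles[role] = set(grants)

    def assign_role(self, user, role):
        if user not in self.accounts or role not in self.roles:
            raise KeyError(f"unknown account or role: {user!r}, {role!r}")
        self.accounts[user].add(role)

    def revoke_account(self, user):
        # Central revocation: dropping the account drops its roles and grants.
        self.accounts.pop(user, None)

    def entitlements(self, user):
        """What the platform can assert; None means left to the application."""
        out = {"account": user in self.accounts, "roles": None, "permissions": None}
        if out["account"] and self.level >= ACCOUNT_ROLE:
            out["roles"] = sorted(self.accounts[user])
        if out["account"] and self.level >= ROLE_PERM_RESOURCE:
            grants = set().union(*(self.roles[r] for r in self.accounts[user]))
            out["permissions"] = sorted(grants)
        return out

def demo():
    # Constructed sample data for one application at the third level.
    app = AppPermissionModel(ROLE_PERM_RESOURCE)
    app.define_role("auditor", {("menu:reports", "finance"), ("data:read", "finance")})
    app.define_role("approver", {("button:approve", "finance"), ("data:read", "finance")})
    app.grant_account("alice")
    for role in ("auditor", "approver"):
        app.assign_role("alice", role)
    before = app.entitlements("alice")
    app.revoke_account("alice")
    return before, app.entitlements("alice")
```

A `None` in the result marks a layer that this integration level leaves to the application's own administrators, which is the decentralized state described in the Background section.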